what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CA-2000-11.kerberos

CA-2000-11.kerberos
Posted Jun 12, 2000
Site cert.org

CERT Advisory CA-2000-11 - MIT Kerberos vulnerable to denial-of-service attacks. Several new buffer overflow vulnerabilities were found in Kerberos 4, Kerberos 5 with v4 support, KerbNet, and Cygnus Kerberos. Due to the use of static buffers, these vulnerabilities do not allow remote execution of arbitrary code.

tags | remote, overflow, arbitrary, vulnerability
SHA-256 | d96c4bdd107b1255a3004276121d75e0c5c68ad148f76745301d12d5346d2095

CA-2000-11.kerberos

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-2000-11 MIT Kerberos Vulnerable to Denial-of-Service
Attacks

Original release date: June 9, 2000
Last revised: --
Source: The MIT Kerberos Team, CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems with MIT-derived implementations of the Kerberos 4 KDC
* Systems with MIT-derived implementations of the Kerberos 5 KDC
enabled to handle krb4 ticket requests

Overview

The CERT Coordination Center has recently been notified of several
potential buffer overflow vulnerabilities in the Kerberos
authentication software. The most severe vulnerability allows remote
intruders to disrupt normal operations of the Key Distribution Center
(KDC) if an attacker is able to send malformed requests to a realm's
key server.

MIT reports that the following versions are vulnerable to one or more
of these vulnerabilities:
* MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
* MIT Kerberos 4 patch 10, and probably earlier releases as well
* KerbNet (Cygnus implementation of Kerberos 5)
* Cygnus Network Security (CNS -- Cygnus implementation of Kerberos
4)

Other versions may be affected as well.

The vulnerabilities discussed in this advisory are different than the
ones discussed in CA-2000-06, Multiple Buffer Overflows in Kerberos
Authenticated Services. The primary difference is in the impact: the
new vulnerabilities do not appear to allow remote execution of
arbitrary code since the buffers being overrun are statically
declared. In addition, only Kerberos 4 and Kerberos 5 KDC servers that
can service version 4 ticket requests are affected by the buffer
overflows discussed here.

I. Description

There are at least five distinct vulnerabilities in various versions
and implementations of the Kerberos software. All of these
vulnerabilities may be exploited to effect denial-of-service attacks
with varying degrees of severity. These vulnerabilities include
* The buffer used to hold the variable lastrealm in the function
set_tgtkey() can be owerflowed.

* The buffer used to hold the variable localrealm in the function
process_v4() can be overflowed.

* The buffer to hold the variable e_msg in the function
kerb_err_reply() can be overflowed.

* The code that services AUTH_MSG_KDC_REQUESTs does not properly check
for null-termination.

* Memory that has previously been freed may be improperly freed again,
possibly resulting in unstable operation.

The MIT Kerberos Team Advisory

The MIT Kerberos Team described these vulnerabilities in more detail
in an advisory they recently issued. This advisory is available at

http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt

II. Impact

Depending on the version of kerberos, the environment in which its
running, and the particular vulnerability that is exploited, a remote
attacker can cause one or more of the following:
* The KDC to issue invalid tickets for all principles,
* The KDC to generate a "principal unknown" error, or
* The KDC process to crash.

Any new authentications to kerberized services will not be possible
until the KDC is restarted. Note that this implies that operation of
"kerberized" services will be halted until the KDC is stopped.

It does not appear that any of these vulnerabilities allows the
execution of code by an intruder.

Additional detail can be found in the MIT advisory.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory.
We will update the appendix as we receive more information. If you do
not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact your vendor directly.

Apply the MIT patches

If you are running a Kerberos distribution from MIT and can rebuild
your binaries from source, you can apply the source code patches from
MIT to correct these problems. These patches are available in the MIT
Advisory.

If you are running other MIT-derived implementations, you need to
apply the appropriate vendor patches and recompile the KDC server
software.

Disable Kerberos version 4 authentication in Kerberos version 5 if possible

As suggested by MIT, krb4 authentication in some daemons can be
disabled at run time by supplying command-line options to the KDC
server. Optionally, the krb5 distribution may be compiled with the
option '--without-krb4' to disable all krb4 ticket handling by
default.

Upgrade to MIT Kerberos 5 version 1.2

The vulnerabilities described in this advisory will be addressed in
Kerberos 5 version 1.2. This version will be available from the MIT
Kerberos web site:

http://web.mit.edu/kerberos/www/

Appendix A. Vendor Information

MIT Kerberos

The MIT Kerberos Team advisory on this topic is available from:

http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt

BSDI

BSDI is working on a patch for this problem and will announce it via
our normal channels as soon as it is available.

NetBSD

Versions of kerberos which have been integrated into released versions
of NetBSD and distributed as part of the optional, not-for-export
"secr" sets are vulnerable to some of the problems cited in the
advisory. Integration of the fixes is in progress and will be
announced in a NetBSD security advisory when complete.

University of Washington

[...] we don't distribute client or server binaries with MIT Kerberos
support.

We distribute source that allows building on UNIX and PC with MIT
Kerberos. A site which wants to use Kerberos must build our software
(e.g. Pine, imapd, ipop[23]d) locally in order to use MIT Kerberos.

I did not see anything in this alert that specifically indicates a
problem for [our] clients or servers. As with all other software built
with MIT Kerberos, it would be prudent for a site that uses our
software with MIT Kerberos to rebuild it with the patched version of
MIT Kerberos.
_________________________________________________________________

The CERT Coordination Center thanks Tom Yu and the MIT Kerberos Team
for notifying us about these problem and their help in developing this
advisory.
_________________________________________________________________

Jeff Havrilla was the primary author of the CERT/CC portions of this
document.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2000-11.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University, portions copyright MIT
University.

Revision History
June 9, 2000: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA+AwUBOUFiJVr9kb5qlZHQEQIUIQCXTUeGxhNzkNyK68SlBGfFBcKvRQCfV0SD
tkaHNO/JcqwISZps0WN6QGE=
=3mms
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close